Security administrators should block the IoCs on all applicable security solutions post validation.įortinet customers are strongly recommended to upgrade to the FortiOS version 6.4.12 and later, FortiOS version 7.0.10 and later, or FortiOS version 7.2.4 and above as soon as possible, after appropriate testing. The attackers have also shown "advanced capabilities" such as reverse-engineering components of the FortiGate devices' operating system. In addition, Fortinet concluded that the attacks were extremely focused, with some evidence that the threat actors targeted government networks.
If this malware receives an ICMP packet with the string " 7(Zu9YTsA7qQ#vm," it can then exfiltrate data, download and write files, or open remote shells. These Fortigate firewalls were breached via a FortiManager device on the victim's network, as all of them stopped simultaneously, using the same tactics, and the FortiGate path traversal exploit was initiated along with scripts run via FortiManager.ĭuring analysis, it was discovered that the attackers changed the firmware image of the target device (/sbin/init) to launch a payload (/bin/fgfm) prior to booting. According to Fortinet, the issue arises because its FIPS-enabled devices check the integrity of system components and are set up to automatically shut down and stop booting in order to prevent a network breach if a compromise is detected.
The incident was identified when compromised Fortigate devices shut down with "System enters error-mode owing to FIPS error: Firmware Integrity self-test failed" notifications and failed to reboot. Moreover, in a report, Fortinet stated that numerous FortiGate firewalls belonging to one of its clients were compromised using CVE-2022-41328 vulnerability. Also, the products impacted by the FortiOS bug are FortiOS version 6.4.0 through 6.4.11, FortiOS version 7.0.0 through 7.0.9, FortiOS version 7.2.0 through 7.2.3, and all versions of FortiOS 6.0 and 6.2. On March 7, 2023, Fortinet already addressed the high-severity FortiOS bug, which is tracked as CVE-2022-41328, which was caused due to improper limitation of a pathname to a restricted directory vulnerability (CWE-22) in FortiOS, enabling a privileged attacker to read and write arbitrary files via crafted CLI commands. Fortinet, a global leader in cybersecurity solutions and services, revealed that unknown threat actors leveraging zero-day exploits to abuse a recently patched FortiOS vulnerability, leading to OS and file corruption and data loss to target governments and large organizations.
0 kommentar(er)
